While playing a CTF, I found an interesting idea, so I note it here.
● ezphp(fixed)
You can find a hint for solving this problem in the header. When you enter the site, you see a response header like this.
The point is the PHP version. PHP 5.3.x has the "HEAD Method Trick" vulnerability.
To solve this challenge, you must use the "HEAD" method to bypass the code "$_SESSION["admin"]=0;". That is to say, you send a HEAD request so that execution stops at the "echo" and the line "$_SESSION["admin"]=0" never runs. As a result, you get the flag.
About the "HEAD Method Trick" in PHP version 5.3.x
When the "HEAD" method is used, PHP stops at the first output. How does this work? Let's check the PHP code.
// php-5.3.5\main\SAPI.c line 315:
// a HEAD request only marks the request as "headers only"
if (SG(request_info).request_method &&
    !strcmp(SG(request_info).request_method, "HEAD")) {
    SG(request_info).headers_only = 1;
}

// php-5.3.5\main\output.c line 699
// (function php_ub_body_write, which is executed when output data arrives):
if (SG(request_info).headers_only) {
    if (SG(headers_sent)) {
        return 0;
    }
    php_header(TSRMLS_C);
    zend_bailout(); // <--- this will stop the script at the first body output
}
In short, zend_bailout() stops the script at the first place output is produced, for example the first "echo". This opens some security holes.
Examples
<?php
session_start();
$_SESSION['admin_level']=1;
if (!isset($_POST['pass']) || $_POST['pass']!='somepassword')
{
    echo '<b>Wrong or empty password.</b><br>';
    $_SESSION['admin_level']=0;
}
?>
If an attacker uses the HEAD method, "$_SESSION['admin_level']" stays set to 1 because the script stops running in the middle. It's vulnerable.
<?php
$line='Nick: '.htmlspecialchars($_POST['nick']).'<br>
Text: '.htmlspecialchars($_POST['text']).'<hr>';
$f=fopen("book.txt","r");
$data=fread($f,filesize("book.txt"));
fclose($f);
$f=fopen("book.txt","w");
$data=$line.$data;
echo $data;
fwrite($f,$data);
fclose($f);
?>
If an attacker opens that script with the HEAD method, the script stops at "echo $data". The file has already been opened with mode "w", which truncates it, but the fwrite after the echo never runs, so book.txt ends up empty.
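As an added example (not code from the original post or the CTF), here are both scripts above rewritten so that a bailout at the first output cannot leave state half-applied: unexpected methods are refused before any side effect, state changes and the file update are finished first, and all output is emitted once at the end. The password and file name are the same placeholders the page uses.

```php
<?php
// Added example (not from the original post): the two scripts above, rewritten
// so a bailout at the first output cannot leave state half-applied.
session_start();

// Answer HEAD (and anything else unexpected) with headers only, before any
// side effect; the handler below is reached only for GET and POST.
$method = $_SERVER['REQUEST_METHOD'];
if ($method !== 'GET' && $method !== 'POST') {
    header('HTTP/1.1 405 Method Not Allowed');
    header('Allow: GET, POST');
    exit;
}
$out = '';   // all output is collected here and echoed once, at the very end

// Example 1, hardened: fail closed. The privileged value is written only
// after the check succeeds, and nothing sensitive follows the output.
$_SESSION['admin_level'] = 0;
$pass = isset($_POST['pass']) ? $_POST['pass'] : '';
if ($pass === 'somepassword') {
    $_SESSION['admin_level'] = 1;
    $out .= 'Welcome.<br>';
} else {
    $out .= '<b>Wrong or empty password.</b><br>';
}

// Example 2, hardened: finish the file update before producing output, and
// never truncate the file before the new contents are ready to be written.
$nick = isset($_POST['nick']) ? $_POST['nick'] : '';
$text = isset($_POST['text']) ? $_POST['text'] : '';
$line = 'Nick: ' . htmlspecialchars($nick) . '<br>Text: '
      . htmlspecialchars($text) . '<hr>';

$f = fopen('book.txt', 'c+');     // read/write, created if missing, NOT truncated
if ($f !== false && flock($f, LOCK_EX)) {
    $data = $line . stream_get_contents($f);
    ftruncate($f, 0);             // truncate only once $data is fully built
    rewind($f);
    fwrite($f, $data);
    fflush($f);
    flock($f, LOCK_UN);
    fclose($f);
    $out .= $data;
}

echo $out;   // first and only output: a bailout here can no longer skip anything
?>
```

The general rule this follows is the one the page's two failures share: treat the first byte of output as a point where execution may end, so every security-relevant write must happen before it.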